b'                                    August 20, 2004\n\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum/RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   MEMORANDUM REPORT: CONTROLS TO\n                           PREVENT UNAUTHORIZED ENTRY INTO THE\n                           NRC PARKING GARAGE (OIG-04-A-17)\n\n\nSUMMARY\n\nThe Office of the Inspector General (OIG) conducted a limited scope review to\nassess U.S. Nuclear Regulatory Commission (NRC) controls for preventing and\nmitigating unauthorized vehicle entries into the NRC headquarters parking\ngarage. OIG initiated this inquiry in response to an incident that occurred on\nApril 28, 2004, when a disoriented woman who had no official business with NRC\ndrove into the One White Flint North parking garage without stopping at the\nguard booth. Approximately 15 minutes after entering the garage, the woman\nwalked out of the garage at the Two White Flint North exit, where she was\nstopped and questioned by an NRC guard who was unaware that the security\nbreach had occurred.\n\nNRC determined that the security guard response to this incident was\nunsatisfactory, deducted $400 from the security guard contractor invoice for April\nbecause of the poor response, and requested an action plan from the contractor\nto improve future performance. The contractor responded by providing remedial\ntraining for its NRC guard force. In addition, the Director, Division of Facilities\nand Security, instructed Security Branch staff to develop specific guidance for\nsecurity officers on how to respond to unauthorized access situations.\n\x0c                             Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\nOIG found that although NRC responded quickly to address the poor\nperformance demonstrated by the guard force on April 28, the agency should\nimplement emergency drill training requirements contained in the security guard\ncontract and clarify security guard orders to ensure a better security guard\nresponse in the future.\n\nDESCRIPTION OF INCIDENT\n\nOn April 28, 2004, at approximately 5:40 a.m., a disoriented woman who had no\nofficial business with NRC drove past the guard posted at the One White Flint\nNorth driveway booth and into the garage without stopping. The guard\nimmediately notified the shift supervisor, via telephone, that an NRC \xe2\x80\x9cemployee\xe2\x80\x9d\nhad entered the garage without stopping. The supervisor subsequently made a\nbrief, limited in scope, unsuccessful attempt to locate the driver and then\nreturned to his office to obtain more information. However, instead of continuing\nhis search, the supervisor issued weapons to officers reporting for duty without\nmaking any notification to the guard force about the situation at hand. The\nwoman spent about 15 minutes walking around the garage before being detained\nby a guard at the Two White Flint North garage exit post who thought the woman\nappeared suspicious. At the time the guard stopped her, the woman, who was\nnot wearing shoes, had just walked out of the Two White Flint North garage.\nDuring this entire time period, officers were not notified that the breach had\noccurred and no organized search for the vehicle or driver was conducted.\nFurthermore, the woman was not searched before she was brought back inside\nthe building for further questioning. The woman\xe2\x80\x99s vehicle, which was\nsubsequently impounded by Montgomery County Police, was found on the P-1\nlevel of the Two White Flint North garage and a coat she dropped while\nwandering in the garage was found on the Two White Flint North P-2 ramp.\nAccording to a Division of Facilities and Security staff member, a switchblade\nknife was found in the woman\xe2\x80\x99s vehicle.\n\nNRC AND WACKENHUT RESPONSE TO INCIDENT\n\nBoth NRC and Wackenhut Services, Inc., NRC\xe2\x80\x99s contractor for guard services,\nagreed that the guard force response to the incident was unsatisfactory. In a\nMay 5, 2004, letter to Wackenhut, NRC faulted the shift supervisor for failing to\nalert the guards on duty that there was an intruder in the building and found it\nunacceptable that an effective search for the intruder was not immediately\nconducted. NRC also criticized the fact that the woman was not properly\nsearched before being brought back into the building for questioning. NRC\ndeducted $400 from Wackenhut\xe2\x80\x99s April 2004 invoice because of the contractor\xe2\x80\x99s\npoor performance and requested that Wackenhut provide a written plan of action\nto improve future performance. In response, on May 10, Wackenhut provided\nonsite remedial training for its NRC guard force on the use of deadly force,\nemergency communications, alert procedures, response timeliness, supervisor\nresponsibilities in general, and other topics.\n\n\n\n                                           2\n\x0c                             Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\n\nAccording to the Wackenhut project manager for the NRC contract and Division\nof Facilities and Security staff, an underlying cause of Wackenhut\xe2\x80\x99s poor\nresponse was the mischaracterization of the intruder as an NRC \xe2\x80\x9cemployee.\xe2\x80\x9d\nThe supervisor failed to question this characterization and responded to the\nincident as if it were not an emergency. Another problem, according to the\nproject manager, was the driveway booth guard\xe2\x80\x99s failure to use his radio to notify\nthe supervisor about the incident. Had the guard used his radio, the project\nmanager said, all officers on duty at the time would have been alerted about the\nsituation. The project manager said using one\xe2\x80\x99s radio to make the call to the\nsupervisor is a commonsense response that ought to be automatic.\n\nOIG notes that an appropriate response to this situation would also include the\nuse of a duress alarm that immediately notifies all posts that a potentially\ndangerous situation is underway. Because NRC\xe2\x80\x99s duress alarms do not have\nthis capability \xe2\x80\x93 they notify only the Central Alarm Station of imminent danger \xe2\x80\x93\nNRC guards must use their radios to perform this type of general notification.\n\nIn an effort to further ensure that guards understand what NRC expects of them\nin an emergency, the Division of Facilities and Security Director has directed\nSecurity Branch staff to develop more specific guidance for guards on how to\nrespond to access control incidents. While Division of Facilities and Security\nstaff cautioned OIG that responses cannot be prescribed for every emergency\nscenario, they acknowledged that fundamental expectations ought to be\ndocumented.\n\nACCESS CONTROL EMERGENCY DRILLS ARE NOT PART OF GUARD\nTRAINING REQUIREMENTS\n\nAlthough Wackenhut responded promptly to NRC\xe2\x80\x99s request for a plan of action to\nimprove future performance, neither the remedial training that was provided nor\nthe annual contract guard training requirements included the conduct of access\ncontrol emergency response drills. Such drills would allow guards to practice\naccess control procedures in response to incidents similar to that which occurred\non April 28. Such practice would help ensure that officers have practiced the\nskills required to respond to emergencies and that they are better prepared to act\nquickly and appropriately if a similar situation occurs in the future.\n\nNRC\xe2\x80\x99s contract with Wackenhut requires guards to receive basic training, in-\nservice training, and annual recertification training. One specific requirement\npertains to emergency response capability and requires NRC to conduct periodic\ntesting to ensure an acceptable level of training by security personnel for\nresponse to emergencies. However, NRC has not conducted access control\nemergency drills as part of this testing requirement. Furthermore, the remedial\ntraining provided by Wackenhut in response to the April 28 incident did not\ninclude any access control emergency drill training. According to the Division of\n\n\n\n                                          3\n\x0c                                    Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\nFacilities and Security Director, while no access control emergency drill training\nhas been conducted, the guards have participated in bomb emergency drills\nwhich call for a similar response to that required in an access control emergency.\n\nAccording to the Wackenhut project manager for the NRC contract, it is easy for\nguards to become desensitized to the emergency nature of their jobs because so\nfew incidents necessitating an emergency response occur. To help counter this\ntendency, the project manager said he rotates guards in and out of various posts\nand reminds them verbally of the importance of taking all situations seriously.\nFurthermore, he said, officers practice access control every day on the job.\n\nOIG contends that access control drills should be an integral part of annual\nofficer training. Although the guards practice access control on a routine basis,\nthe rare occurrence of emergency situations does not provide the opportunity to\npractice the quick thinking and aggressive response required in these situations.\nFurthermore, while the remedial training provided by Wackenhut is likely to\nensure that guards take all incidents seriously in the short term, there is no\nassurance that such heightened awareness will be sustained over the long term.\nDrilling annually on how to respond to access control emergencies will routinely\nremind guards of the need to treat all security breaches as potentially serious,\nensuring an appropriate response to such situations.\n\nRecommendation\n\nOIG recommends that the Executive Director for Operations:\n\n    1. Require the conduct of at least one annual access control emergency drill\n       as part of security guard training requirements.\n\nGUARD ORDERS DO NOT DESCRIBE EXPECTED RESPONSE\n\nNRC has specific post and general orders1 addressing garage access control.\nHowever, these written procedures are not specific enough to ensure that guards\nhave a clear understanding of how to proceed in an emergency.\n\nNRC\xe2\x80\x99s post and general orders contain guidance intended to prevent\nunauthorized individuals and vehicles from entering the garage and appropriately\nhandle such an entry should one occur. NRC General Order 10, Access Control,\ninforms security officers of the policy and procedures for access control to ensure\nthat only authorized personnel are admitted to controlled areas. NRC Post Order\n7 describes access control duties at the perimeter driveway guard booth during\n\n\n\n1\n  NRC post orders are permanent directives designed to provide procedures for the operation of each\nindividual guard post. These directives augment and supplement NRC general orders, which are permanent\ndirectives designed to standardize day-to-day procedures at all NRC facilities.\n\n\n\n                                                  4\n\x0c                              Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\nspecific hours of the day and night and is augmented by an attachment titled,\n\xe2\x80\x9cStandard Operating Procedures for Perimeter Driveway Guard Booth.\xe2\x80\x9d This\nlatter document includes information on when to lower and raise the traffic arm\nlocated at that post and the roll-up garage doors.\n\nOIG\xe2\x80\x99s review of these specific procedures revealed that the procedures do not:\n\nClearly state \xe2\x80\x9ccommonsense\xe2\x80\x9d expectations on how to proceed in an\nemergency. Division of Facilities and Security staff and the Wackenhut project\nmanager expressed various \xe2\x80\x9ccommonsense\xe2\x80\x9d principles that they said officers\nshould have known to employ during the April 28 incident. For example, the\nproject manager stated that the officer should have used his radio \xe2\x80\x93 not the\ntelephone \xe2\x80\x93 to notify the shift supervisor that the incident had occurred. The\nproject manager said this was a basic principle in responding to an emergency\nbecause it facilitates notification of all guards that an incident is underway. Yet,\nthe requirement to use the radio to alert officers of an unauthorized vehicle entry\nis not specifically written in NRC\xe2\x80\x99s post or general orders. A Division of Facilities\nand Security staff member further explained that a duress alarm located in the\ndriveway guard booth is to be used to notify the Central Alarm Station in\nsituations of imminent danger. Guidance on when to use the duress alarm \xe2\x80\x93\nversus the telephone or radio \xe2\x80\x93 also is not specified in the orders.\n\nDescribe a response that matches NRC\xe2\x80\x99s expectations on how to proceed\nin an emergency. According to Division of Facilities and Security staff, a\nreasonable response in the April 28 situation would have been immediately to\nstop traffic from entering or exiting the garage until the vehicle and driver could\nbe located. However, there are no specific procedures in General Order 10,\nAccess Control, or Post Order 7 (perimeter driveway guard booth) instructing\nofficers when such a technique is advisable. As another example, General Order\n10 instructs guards who encounter individuals in the building who are\nunauthorized to be there to escort them from NRC space. While the order\nspecifies that the person should be asked to leave \xe2\x80\x9cin a firm and polite manner,\xe2\x80\x9d\nno mention is made of the need to detain the person in order to ascertain how\nand why the person entered the space. According to the Wackenhut project\nmanager and NRC staff, such questioning would be necessary in order to assess\nwhether the person intended to cause harm and to determine what weakness\nallowed the person to gain access in the first place.\n\nRecommendation\n\nOIG recommends that the Executive Director for Operations:\n\n       2. Update general and post orders related to access control so that the\n          guidance clearly conveys NRC expectations for guard response as\n          well as \xe2\x80\x9ccommonsense\xe2\x80\x9d expectations concerning emergency response.\n\n\n\n\n                                           5\n\x0c                                          Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\nCONCLUSION\n\nThe April 28 security breach fortunately occurred without malice in that the\nintruder entered the garage because she was disoriented and apparently not to\ncause harm to NRC facilities or employees. However, it illustrates the\nvulnerability posed by the existing driveway configuration, which does not include\nactive vehicle barriers. According to Division of Facilities and Security staff, an\nintruder currently can gain easy entry into the garage any time the garage door is\nopen and there is virtually nothing in place to prevent this. Ultimately, NRC\nexpects to mitigate this vulnerability by reconfiguring the driveway access to the\ngarage through Lot 4.2 Even when the driveway reconfiguration is complete,\nhowever, NRC must employ the best possible measures to prevent intrusions\nand respond appropriately if one occurs.\n\nAGENCY COMMENTS\n\nDuring an exit conference held August 3, 2004, agency managers generally\nagreed with the report findings and recommendations, and offered clarifications\nconcerning NRC\xe2\x80\x99s security guard contract requirements and a suggestion\nconcerning the wording of Recommendation 1. This information was\nincorporated into the report, as appropriate. The agency reviewed these\nmodifications and did not provide subsequent comments to the report.\n\nConsolidated List of Recommendations\n\n       1. Require the conduct of at least one annual access control emergency drill\n          as part of security guard training requirements.\n\n       2. Update general and post orders related to access control so that the\n          guidance clearly conveys NRC expectations for guard response as well as\n          \xe2\x80\x9ccommonsense\xe2\x80\x9d expectations concerning emergency response.\n\nSCOPE AND METHODOLOGY\n\nTo accomplish this limited scope review assessing NRC\xe2\x80\x99s controls to prevent\nunauthorized entry into the agency\xe2\x80\x99s headquarters garage, auditors reviewed\nrelevant criteria such as the General Services Administration Contract Guard\nInformation Manual; NRC Security Officer\xe2\x80\x99s Book, which contains general and\npost orders; \xe2\x80\x9cStandard Operating Procedures for Perimeter Driveway Guard\nBooth,\xe2\x80\x9d attachment to Post Order 7; and the Wackenhut Statement of Work for\nSecurity Guard Services. Auditors also reviewed security incident reports\ndescribing the April 28 incident and NRC\xe2\x80\x99s letter to Wackenhut subsequent to the\nincident. Auditors interviewed Division of Facilities and Security staff and the\nWackenhut project manager to better understand the events that transpired\nduring the April 28 security breach and the agency\xe2\x80\x99s and contractor\xe2\x80\x99s responses.\n2\n    Lot 4 is the vacant lot behind One White Flint North acquired last year for this purpose.\n\n\n\n                                                         6\n\x0c                             Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\n\nThis work was conducted from June 3 to June 29, 2004, in accordance with\ngenerally accepted Government auditing standards. The work was conducted by\nBeth Serepca, Team Leader; Judy Gordon, Senior Management Analyst; and\nElizabeth Bowlin, Auditor.\n\nPlease provide information on the actions taken in response to the\nrecommendations directed to your office by September 20, 2007. Actions taken\nor planned are subject to OIG followup. See Attachment for instructions for\nresponding to OIG report recommendations.\n\nIf you have any questions or concerns regarding this report, please contact me at\n415-5915 or Beth Serepca at 415-5911.\n\ncc:   Chairman Diaz\n      Commissioner McGaffigan\n      Commissioner Merrifield\n\n\n\n\n                                          7\n\x0c                            Controls to Prevent Unauthorized Entry into the NRC Parking Garage\n\n\n\nDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nPatricia G. Norry, Deputy Executive Director for Management Services, OEDO\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nJacqueline E. Silber, Chief Information Officer\nMichael L. Springer, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOffice of Public Affairs, Region I\nOffice of Public Affairs, Region II\nOffice of Public Affairs, Region III\nOffice of Public Affairs, Region IV\n\n\n\n\n                                         8\n\x0c'